Perhaps it's a stupid question, but when I use TElWinCertStorage.Validate does this method check the revocation status of the certificate against the CRL eventually contained in the certificate itself?

No, it's a task of a user application to download a CRL and then validate the certificate against this CRL (do I understand you right that you mean the CRL that is specified by a path in certificate extensions?).

Innokentiy Ivanov wrote:
No, it's a task of a user application to download a CRL and then validate the certificate against this CRL (do I understand you right that you mean the CRL that is specified by a path in certificate extensions?).

Yes, the path of the CRL is specified in the certificate extensions.

So basically I have to check the CRLDistributionPoints, get the url of the crl, download it, and then check against that?

But, the certificates I'm using contain an ldap url in the CRLDistributionPoint, isn't that supposed to be used to make a query instead of downloading the whole CRL?

So basically I have to check the CRLDistributionPoints, get the url of the crl, download it, and then check against that?

Yes. Please note that the CRL accessible by the path specified in the CRL distribution points extension contains revocation information for the certificates *issued* by this certificate (i.e., this CRL cannot be used to validate the certificate in whose extension it is specified).


But, the certificates I'm using contain an ldap url in the CRLDistributionPoint, isn't that supposed to be used to make a query instead of downloading the whole CRL?

As far as I understand, the provided LDAP URL should be used to download the CRL, isn't it?

Yes, the CRL info found should be used to validate the certificates issued by that certificate. In fact, for a specific certificate, I am looking at the CRL info contained in the issuer certificate during validation, although the certificate itself contains the same CRL info for some reason.

As for the LDAP url I am not really sure, hoped you knew better.

Regarding the actual revocation status check: when TElWinCertStorage.Validate is called, one of the reasons for invalidity can be SBX509.Unit.vrRevoked, but you've told me that I have to do the revocation check myself, when/how is SBX509.Unit.vrRevoked returned by SBB then?

Regarding the actual revocation status check: when TElWinCertStorage.Validate is called, one of the reasons for invalidity can be SBX509.Unit.vrRevoked, but you've told me that I have to do the revocation check myself, when/how is SBX509.Unit.vrRevoked returned by SBB then?

You can force descendants of TElCustomCertStorage to check certificates against a CRL assigned to the TElCustomCertStorage.CRL property. However, this makes little sense with TElWinCertStorage, as TElWinCertStorage usually contains a number of certificates issued by different CAs, so you will need to assign a different CRL (corresponding to a particular CA) each time the certificate is validated.
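The two points the thread settles on, that a CRL may only be applied to certificates whose issuer is the CRL's issuer and that a store holding several CAs' certificates needs the matching CRL selected per CA, can be shown as a small model. The example below is added here; it is not SecureBlackbox code and not code posted by anyone in the thread. The CRL and certificate records, the DNs, serials and the LDAP distribution point URL are all constructed, the outcome strings are only loosely named after the vrXXX reasons mentioned above, and no signature verification is performed (a real check must also verify the CRL's signature with the issuing CA's public key). The LDAP part splits the URL into the RFC 4516 fields (`ldap://host/dn?attributes?scope?filter`); for a CRL distribution point the attribute named there is the one that holds the DER CRL, so the client reads that one attribute of the CA's directory entry.

```python
"""Model of a CRL revocation check, illustrating the thread above.

Everything below is constructed for illustration (assumption): it is not
SecureBlackbox code, the DNs/serials/URL are made up, and CRL signatures
are NOT verified here.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse, unquote


@dataclass(frozen=True)
class Crl:
    issuer: str                 # DN of the CA that signed this CRL
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset = frozenset()


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    cdp_url: str = ""           # CRLDistributionPoints URI, if any


# Outcome names (illustrative, not the real SBB enum values)
VALID = "valid"
REVOKED = "vrRevoked"
CRL_STALE = "crl_stale"          # now is outside thisUpdate..nextUpdate
CRL_WRONG_ISSUER = "crl_wrong_issuer"
CRL_MISSING = "crl_missing"


def parse_ldap_cdp(url: str) -> dict:
    """Split an RFC 4516 LDAP URL into host, DN, attributes, scope, filter.

    A CRL distribution point of this form names the directory entry of the
    CA and the attribute (here certificateRevocationList;binary) whose
    value is the DER-encoded CRL; the client reads that attribute.
    """
    p = urlparse(url)
    if p.scheme != "ldap":
        raise ValueError("not an LDAP URL: %s" % url)
    fields = p.query.split("?") if p.query else []
    attrs, scope, flt = (fields + ["", "", ""])[:3]
    return {
        "host": p.hostname or "",
        "dn": unquote(p.path.lstrip("/")),
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": flt or "(objectClass=*)",
    }


def check_against_crl(cert: Cert, crl: Crl, now: datetime) -> str:
    """Apply one CRL to one certificate."""
    # A CRL lists certificates issued by the CA that signed it, so it is
    # only usable for certificates whose issuer equals the CRL issuer,
    # whichever certificate's extension the URL was taken from.
    if crl.issuer != cert.issuer:
        return CRL_WRONG_ISSUER
    if not (crl.this_update <= now <= crl.next_update):
        return CRL_STALE
    if cert.serial in crl.revoked_serials:
        return REVOKED
    return VALID


def select_crl(cert: Cert, crls):
    """Pick the CRL of cert's own CA from a pool holding several CAs' CRLs."""
    for crl in crls:
        if crl.issuer == cert.issuer:
            return crl
    return None


def validate_with_pool(cert: Cert, crls, now: datetime) -> str:
    """Per-CA CRL selection, then the check (what a mixed store needs)."""
    crl = select_crl(cert, crls)
    return CRL_MISSING if crl is None else check_against_crl(cert, crl, now)


# ---- constructed sample data (assumption) ----
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
STALE_NOW = datetime(2024, 8, 1, tzinfo=UTC)      # after ISSUING_CRL.next_update
ROOT = "CN=Example Root CA,O=Example"
ISSUING = "CN=Example Issuing CA,O=Example"
SAMPLE_LDAP_CDP = ("ldap://ldap.example.test/CN=Example%20Issuing%20CA,O=Example"
                   "?certificateRevocationList;binary?base?(objectClass=*)")

ROOT_CRL = Crl(ROOT, datetime(2024, 5, 1, tzinfo=UTC), datetime(2025, 5, 1, tzinfo=UTC))
ISSUING_CRL = Crl(ISSUING, datetime(2024, 5, 30, tzinfo=UTC),
                  datetime(2024, 6, 30, tzinfo=UTC), frozenset({0x1002}))
CRL_POOL = [ROOT_CRL, ISSUING_CRL]

ISSUING_CA_CERT = Cert(ISSUING, ROOT, 0x01, SAMPLE_LDAP_CDP)
LEAF_OK = Cert("CN=alice", ISSUING, 0x1001, SAMPLE_LDAP_CDP)
LEAF_REVOKED = Cert("CN=bob", ISSUING, 0x1002, SAMPLE_LDAP_CDP)

if __name__ == "__main__":
    print(parse_ldap_cdp(SAMPLE_LDAP_CDP))
    for c in (ISSUING_CA_CERT, LEAF_OK, LEAF_REVOKED):
        print(c.subject, "->", validate_with_pool(c, CRL_POOL, NOW))
    print("leaf vs. root CRL ->", check_against_crl(LEAF_OK, ROOT_CRL, NOW))
```

Running the block shows `CN=bob` reported as `vrRevoked` because the issuing CA's CRL lists its serial, the issuing CA certificate itself validated against the root's CRL rather than the CRL its own extension points to, and the leaf checked against the wrong CA's CRL rejected before any serial lookup.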
